Claws Mail & S/MIME plugin howto

This howto describes configuring S/MIME for Claws Mail, which uses GnuPG
(gpgsm) for it. It is based on Gentoo Linux but should work fine on any other
distribution if adjusted accordingly.

As of 16th November 2009 Thawte discontinued their free S/MIME certificates. As
parts of this howto were also somewhat out of date and much of it was based on
Thawte, it's time for an update. A big difference to the previous howto is
enabling the use of certificate revocation lists (CRL), which didn't work
properly with Thawte before. I won't use OCSP support because of privacy issues,
see man dirmngr.

Requirements

recent Claws Mail version, recommended: latest available version (v3.7.3 at the time of writing this), because many fixes for S/MIME have been incorporated lately

As you can see, the command is eval'ed: gpg-agent prints a shell snippet that
sets and exports an environment variable, something like `GPG_AGENT_INFO=xxx;
export GPG_AGENT_INFO`. This means that you will have to run claws-mail from the
same session, because it needs this environment variable in order to find the
agent. Check gpg-agent(1) for more details on the usual startup customs.

KDE Users

KDE has a way to run scripts at startup time and thus export environment
variables. Every application running in this session will get access to these
variables. All you have to do is create a file in the directory ~/.kde/env/
(create the directory if it doesn't exist). I named it gpgagent.sh; the content
of this shell script is quite trivial (don't forget to chmod +x):

#!/bin/sh
eval `gpg-agent --daemon`

Also create the directory ~/.kde/shutdown/ and place another shell script in it
(e.g. again gpgagent.sh) with the following contents:

#!/bin/sh
# the second field of the GPG_AGENT_INFO variable is the
# process ID of the gpg-agent active in the current session
# so we'll just kill that, rather than all of them :)
[ -n "${GPG_AGENT_INFO}" ] && kill `echo "${GPG_AGENT_INFO}" | cut -d ':' -f 2`
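The following is an added example of my own, not a script from the howto or from KDE: it checks that the gpg-agent advertised by GPG_AGENT_INFO is actually reachable from the current environment before claws-mail is started, which is exactly what the "Cannot sign: General error" message usually indicates is missing. It relies only on the "socket:pid:version" layout of GPG_AGENT_INFO used by the shutdown script above; the "--launch" flag and the claws-mail binary name are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the original howto): verify that the gpg-agent
# advertised by GPG_AGENT_INFO is reachable from the current environment
# before launching claws-mail. GPG_AGENT_INFO has the form
# "<socket path>:<pid>:<protocol version>", the same layout the KDE
# shutdown script relies on. The "--launch" flag and the "claws-mail"
# binary name are assumptions of this example.

# Print the agent socket path (field 1) of a GPG_AGENT_INFO value.
gpg_agent_socket() {
    printf '%s\n' "$1" | cut -d ':' -f 1
}

# Print the agent process ID (field 2) of a GPG_AGENT_INFO value.
gpg_agent_pid() {
    printf '%s\n' "$1" | cut -d ':' -f 2
}

# Return 0 when GPG_AGENT_INFO is set, its socket path exists and the agent
# process is alive; otherwise print a diagnostic on stderr and return 1.
# Any of these failures is a typical cause of "Cannot sign: General error".
check_gpg_agent_env() {
    info="${GPG_AGENT_INFO:-}"
    if [ -z "$info" ]; then
        echo 'GPG_AGENT_INFO is not set: run  eval `gpg-agent --daemon`  in this session' >&2
        return 1
    fi
    sock=$(gpg_agent_socket "$info")
    pid=$(gpg_agent_pid "$info")
    if [ ! -e "$sock" ]; then
        echo "agent socket '$sock' does not exist (stale GPG_AGENT_INFO?)" >&2
        return 1
    fi
    case "$pid" in
        ''|*[!0-9]*)
            echo "GPG_AGENT_INFO carries no numeric pid: '$info'" >&2
            return 1 ;;
    esac
    if ! kill -0 "$pid" 2>/dev/null; then
        echo "gpg-agent pid $pid is not running (stale GPG_AGENT_INFO?)" >&2
        return 1
    fi
    return 0
}

# Only start the mail client when the agent check passes; run as
# "sh gpg-agent-check.sh --launch" (file name assumed).
if [ "${1:-}" = "--launch" ]; then
    check_gpg_agent_env && exec claws-mail
fi
```

Sourcing the file and calling check_gpg_agent_env from a terminal is a quick way to tell a missing variable (wrong session) from a stale one (agent died, variable still exported).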

Importing S/MIME certificates into gpgsm

Regardless of whether you have obtained your S/MIME certificate in Mozilla
Firefox or another browser, you have to export (back up) it to a PKCS#12 (.p12)
file somewhere on your disk. I'm using the filename "certbundle.p12" for this
howto; you can name it as you wish (e.g. $emailaddress_$certdate.p12).

Current versions of GnuPG support importing PKCS#12 files directly; there's no
need to use openssl anymore, as described in the previous howto. (If it doesn't
work for you, you can still view the old howto through the history and use
openssl to extract and convert the keys.) gpg-agent has to be properly set up
and running by now.

$ gpgsm --import certbundle.p12

You will be asked to enter the passphrase of the backup file in the pinentry
popup, and you then have to choose another passphrase for importing it into
gpgsm. This passphrase will be the one you have to enter every time you want to
decrypt or sign emails (of course there's the possibility to cache the
passphrase).

Now you have to add the issuer certificates (root CA + intermediate CA) to gpgsm
if they are not already there. The following command will add more than 100 CA
certificates from the ca-certificates package, but you could also add only the
specific CAs for your certificate if you prefer.

$ gpgsm --import /usr/share/ca-certificates/mozilla/*

Check if your key has been added:

$ gpgsm --list-secret-keys

Configuring GnuPG S/MIME

You'll now have to properly configure GnuPG for S/MIME. Unlike the previous
howto, we'll also be using certificate revocation list (CRL) support via dirmngr,
so that revoked certificates can be detected within the mail client. (It didn't
work before because Thawte publishes a messed-up CRL which GnuPG couldn't handle
properly - but because Thawte doesn't provide S/MIME anymore, we're fine now :)
We only have to import the large Thawte CRL once, as all of their certificates
have been revoked.

This is my "$HOME/.gnupg/gpgsm.conf":

disable-policy-checks
auto-issuer-key-retrieve
# -1 includes all certificates in the chain up to the root
include-certs -1
debug-level basic

You will also probably want to add the following entry to gpgsm.conf (use the
fingerprint from the output of the command "gpgsm --list-secret-keys"):

default-key fingerprint_of_your_key

My "$HOME/.gnupg/dirmngr.conf" file only contains the following line; everything
else is left at its default. dirmngr is used internally by GnuPG for CRL
support. It is also possible to set up a system-wide dirmngr daemon, which is
not part of this howto (see the man page).

debug-level basic

If you encounter any problems with CRL support you can use the old
configuration files from the history of this wiki, which disable it. Be aware
that, having imported all CAs, dirmngr might run into a CRL it can't fetch
properly and hang (this sometimes happens to me when starting kleopatra).

Importing Thawte CRL and testing CRL support

As of 16th November 2009 all Thawte S/MIME certificates have been revoked. As
dirmngr doesn't automatically work with the Thawte CRL, you have to import it
manually once. A working gpg-agent setup is again needed; then perform the
following steps:

You should see the "[certificate is bad: Certificate revoked]" message instead
of "[certificate is good]".

Setting up the trust

We used the option "allow-mark-trusted" in gpg-agent.conf, which allows the
client to mark keys as trusted, i.e. put them in the file
$HOME/.gnupg/trustlist.txt (see man gpg-agent). Hence you should be asked
automatically whether to trust another key or CA; for me this mainly happens
when I click on an email in Claws Mail whose CA is missing from trustlist.txt,
or when I start the tool "kleopatra", where I'm asked to trust the CAs.

If it doesn't work automatically for you, you have to create the file
"$HOME/.gnupg/trustlist.txt" (if it doesn't exist) and add your CA (e.g. Comodo,
Thawte) to the trusted key list. This makes it possible to verify/sign/... with
your personal certificate. I also added my own certificate to the trustlist.

Usually one adds the SHA1 fingerprints to the file (not the serial number; it
doesn't matter whether with or without colons). With the following command
(borrowed and adjusted from this German howto
http://www.kire.ch/blog/2009/05/07/claws-mail-und-smime-verschlusselung-mit-cacert-zertifikat/)
you can add all your CAs and keys at once (of course you then trust all the CAs
of the ca-certificates package - if you don't want that, you have to manually
dump the certificate chain and add the fingerprints accordingly):

Note that after manually changing trustlist.txt or gpg-agent.conf, you need to
send gpg-agent a SIGHUP so that it re-reads them.
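As an added example of my own (it is not the command from the German howto referenced above), here is a small script that turns a "gpgsm --list-keys --with-colons" listing into trustlist.txt lines and skips fingerprints that are already present, comparing them the way the text describes (colons and letter case ignored). It assumes the fpr: record layout documented in GnuPG's doc/DETAILS, i.e. the fingerprint in field 10, and embeds a constructed sample listing so it runs without gpgsm.

```shell
#!/bin/sh
# Added example, not the command the howto links to: build trustlist.txt
# entries from a "gpgsm --list-keys --with-colons" listing. Assumes the
# fpr: record layout from GnuPG's doc/DETAILS (fingerprint in field 10).

# Constructed sample of a colon listing with two CA certificates; real
# input comes from: gpgsm --list-keys --with-colons
sample_listing() {
    cat <<'EOF'
crt:u::2048:1:0000000000000001:20090101000000:20120101000000::::::::
fpr:::::::::A1B2C3D4E5F60718293A4B5C6D7E8F9011223344:
uid:u::::::::CN=Example Root CA,O=Example:
crt:u::2048:1:0000000000000002:20090101000000:20120101000000::::::::
fpr:::::::::0011223344556677889900AABBCCDDEEFF001122:
uid:u::::::::CN=Example Intermediate CA,O=Example:
EOF
}

# Print "<FINGERPRINT> S" for every fpr: record on stdin. The trailing "S"
# is the trustlist.txt flag marking an S/MIME trust anchor.
colon_listing_to_trustlist() {
    awk -F: '$1 == "fpr" && $10 != "" { print $10 " S" }'
}

# Normalise a fingerprint for comparison: drop colons, uppercase hex digits,
# so "a1:b2" and "A1B2" denote the same entry (as gpg-agent treats them).
normalize_fpr() {
    printf '%s\n' "$1" | tr -d ':' | tr 'a-f' 'A-F'
}

# Pass through only those trustlist lines (stdin) whose fingerprint is not
# already in the existing trustlist file $1. Comment lines (#) and disabled
# entries (!) in that file are ignored.
new_trustlist_entries() {
    existing="$1"
    while IFS= read -r line; do
        fpr=$(normalize_fpr "${line%% *}")
        if [ -f "$existing" ] && grep -v '^[#!]' "$existing" \
                | tr -d ':' | tr 'a-f' 'A-F' | grep -q "^$fpr "; then
            continue
        fi
        printf '%s\n' "$line"
    done
}

# Typical use (write to a temporary file first, then append, then tell the
# agent to re-read the trustlist):
#   gpgsm --list-keys --with-colons | colon_listing_to_trustlist \
#       | new_trustlist_entries ~/.gnupg/trustlist.txt > /tmp/new-trust.txt
#   cat /tmp/new-trust.txt >> ~/.gnupg/trustlist.txt
#   kill -HUP "$(echo "$GPG_AGENT_INFO" | cut -d ':' -f 2)"
```

Using the secret-key listing ("gpgsm --list-secret-keys --with-colons") instead of the full key listing restricts the generated entries to your own certificates, which is what you want if you don't intend to trust every CA of the ca-certificates package.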

Setting up Claws Mail itself

There's not much you have to configure in Claws Mail. Go to the menu "Configuration - Edit Accounts | choose your account | - Edit - Account - Privacy - Default privacy system" and set it to S-MIME.
Set the options to your needs; e.g. I've set all but the last one ("Save sent encrypted as clear text").
As we have configured gpgsm to use a default key, you can set "Use default GnuPG key" in the account preferences under Plugins/GPG.

Working with Claws Mail S/MIME and problems/bugs

If you receive the error message "The signature can't be checked - Unknown IPC Command" and you're using "seahorse-agent", try switching to the gpg-agent of the GnuPG package.

If you encounter the error message "Couldn't decrypt: No CMS object", it is likely that your gpgme version is incompatible with Claws Mail. In my tests only v1.1.6 worked; everything newer (1.1.8 and 1.2.0) doesn't work for me! This doesn't necessarily mean that it doesn't work for you. See http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2059

The error message "Cannot sign: General error" usually means that something is wrong with the gpg-agent (e.g. it is not running, or the environment variable is missing in the session Claws Mail was started from).

If you're an old Thawte user trying to use their offer for a free VeriSign S/MIME certificate with Claws Mail, you're out of luck, because GnuPG doesn't support the ancient MD2 algorithm VeriSign uses for their CA. I've tried getting it to work but never succeeded (except by using Thunderbird); here's a statement from the developer of GnuPG/libgcrypt: http://lists.gnupg.org/pipermail/gpa-dev/2003-October/001482.html

I'm only aware of one problem in Claws Mail: you'll get "Bad signature" warnings when you forward (via CM) a signed+encrypted email with an attachment and sign+encrypt the forwarded email itself again too.

Error message "Couldn't decrypt: unsupported algorithm": this happens when you receive an email which was encrypted with the RC2 algorithm (e.g. by some Outlook and some Thunderbird MUAs). I'm currently not aware of a solution on the receiving side, as the underlying libgcrypt doesn't implement it for patent reasons (see https://intevation.de/roundup/aegypten/issue11 and http://forums.mozillazine.org/viewtopic.php?p=2858116 ). You can ask your email partner to reconfigure their client though (I know that recent Outlook versions on Windows Vista or newer can be forced to use certain algorithms).